Next.js Discord


server actions called from outside host

Unanswered
Sage Thrasher posted this in #help-forum
Sage ThrasherOP
I'm using next.js v14.2.13 and I was reading the "[How to Think About Security in Next.js](https://nextjs.org/blog/security-nextjs-server-components-actions)" blog, which says this:

As an additional protection Server Actions in Next.js 14 also compares the Origin header to the Host header (or X-Forwarded-Host). If they don't match, the Action will be rejected. In other words, Server Actions can only be invoked on the same host as the page that hosts it. Very old unsupported and outdated browsers that don't support the Origin header could be at risk.

I'm currently receiving mass requests to one of my server actions (they're coming in batches at an interval) from people abusing my site. Why is next.js not rejecting these requests? I know they're going through because my logs display messages only logged from this action.
The user agent from these requests is Mozilla/5.0 (iPhone; CPU iPhone OS 17_6_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.6 Mobile/15E148 Safari/604.1 OPX/2.5.

75 Replies

@joulev this protection is only a CSRF protection. Your attackers are probably performing the attack from a server-side script, which Next.js has no way of knowing. You need to implement anti-DDoS mechanisms yourself.
Sage ThrasherOP
how would you recommend implementing this anti-DDoS mechanism? All of the IPs for these requests are unique and the user agents are for the most part the same, however not all, and it's not many requests, probably about 20-ish every (unknown) interval
I'm also hosting serverless on Vercel, so these requests are increasing our function invocations which will eventually cost us money
Also, since you already identified a uniform user agent, you can try just blocking it via Vercel Firewall
@joulev Cloudflare protection, check ip *ranges*, captcha
Sage ThrasherOP
we do have Cloudflare, I had looked into it and saw 'rate limiting' under WAF, however because of the server actions, after 1 refresh users were getting rate limited. Is it possible to only add protection to specific methods (in this case, POST)?
@joulev Also, since you already identified a uniform user agent, you can try just blocking it via Vercel Firewall
Sage ThrasherOP
I don't know much about user agents and how unique they are, however wouldn't this cause issues for legitimate users with the same user agent?
Sage ThrasherOP
The user agent from these requests is Mozilla/5.0 (iPhone; CPU iPhone OS 17_6_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.6 Mobile/15E148 Safari/604.1 OPX/2.5.
I got this from Vercel logs so I'm not sure about other headers
Ok, cannot block this UA then. Can use reCAPTCHA
It filters out bots and only runs the expensive operations after reCAPTCHA passes
If the attack is enough to cause even reCAPTCHA checking to hit serverless function limits, Cloudflare and Vercel should be able to block it without configuration
Sage ThrasherOP
is it possible to only do this on POST requests of a "specific" (allowing dynamic, e.g. /forms/{id}/post) endpoint?
but keep in mind the check runs on the server side, so it's better to first configure Cloudflare or Vercel correctly
because attackers can still request that endpoint
Sage ThrasherOP
yeah that's what I mean, is it possible to do that check (POST requests on the dynamic URL) in Cloudflare so it doesn't get to my server if deemed to be an attack?
uhm yeah
Cloudflare has some automated bot protection rules
Sage ThrasherOP
do you have any good articles or such that you can recommend to implement something like this? I'm not 100% familiar with Cloudflare and all its features
to be really honest
most of the articles are outdated
just look yourself
or
directly take a look at Cloudflare's docs
or maybe
join Cloudflare's Discord
check this
@gin https://developers.cloudflare.com/ddos-protection/best-practices/respond-to-ddos-attacks/
Sage ThrasherOP
I did look into the rate limiting rules, however I didn't know how to only rate limit POST requests, because when I load the page some server actions are called, then when I refresh I get rate limited because of the server action calls. I know I can just increase the limit but it would be a lot easier if I can restrict it to only checking POST
yeah wait
let me check
ah also
enable this
Sage ThrasherOP
both of them?
I would only check the first
the second could cause SEO issues
Sage ThrasherOP
ah that's true
I thought I had the first one enabled, but apparently I don't
I've just enabled it
also
inside here
you can put the security level to high
default is medium I think
Sage ThrasherOP
would you recommend keeping it at high or putting it back down to medium once these mass requests start to stop?
yeah
you can put it back to medium once it stops
press on deploy
Sage ThrasherOP
would it make much of a difference? If not I would probably leave it on high
not for normal users
@gin press on deploy
Sage ThrasherOP
yup
you can customize this
in browse rules
there are premade rules
that block known bot and request schemas
Sage ThrasherOP
is there any in particular you would recommend? I don't want to enable a bunch and sacrifice performance for regular users
I don't know how big your app or whatever is
I would just select all and see if it stops
then basically decrease protection over time
Sage ThrasherOP
@gin we're still receiving a bunch of these requests, do you have any more suggestions?